--
--
--
[ Picked text/plain from multipart/alternative ]
Hi THere!
I have been working on getting a site up to support SSL based email
clients for a 'VPN' distributed worker network I need to set up. I
found that evolution and MS Outhouse 5.0, and Netscape 4.0x were not
supported by the STARTTLS mechanism in exim 3.35 under Debian
sid/woody. After playing for hours with stunnel and sslwrap and seeing
all the problems that pertained to this (broken logging of source host,
some clients refusing to deliver through the SSL wrapping daemon),
changing exim turned out to be a good easy solution - all I needed was
SSL/TLS startup on connect added to 'exim -bs' so I could the legacy
support from inetd...
(I do greatly encourage peole to up grade their older MTA clients, but
their machines are/can be too under powered etc. - the Evolution team
should have used STARTTLS, but I guess that it doesn't work well with
some legacy commercial mail servers from a certain big corporation...).
Due to the excellent code structure for TLS in exim, I found the code
changes to be really simple for the rudimentary support needed for these
older MTAs, and only three code insertions of a few lines each needed to
be made, and one simple change to a log message! Since TLS support was
already in exim, getting the SSL on connect wired up to the new -bssmtp
and -bsmtps command line switches was very basic. The execution of
these code segments is controlled via the new global tls_on_connect flag
that gets set by the command line switch. Thus the new code does not
execute at all under normal operation, and so it is very safe to add
it. I have tested it with evolution. I reccomend that it get included
in the next point release of exim 3.3x, and be intergrated into exim
4.0x as it will solve a lot of problems supporting legacy-style SSL SMTP
from various MTAs on Unix/Linux, DOS/windows and MAC OS.
Robert and Mark, you probably want to add this to the Debian exim-tls
package as it takes a major corner off the package.
Two patches are attached, one for the exim src directory (against the
exim-tls tree) (exim-3.35-ssmtp-inetd.patch) - it should cleanly apply
to the stock exim 3.35 tar ball, and one for the changes I made to the
debian directory of the package (exim-3.35-ssmtp-inetd-debian.patch).
Here is the README.ssmtp-MTAs from my new internal version of the
exim-tls package:
Using exim with Evolution, older IE 5.0
and Netscape 4.0x MTAs
=======================================
This version of exim for TLS has had an extra patch applied that enables you
to run exim with these older style SSL MTAs that use the ssmtp port. This is
done via an extra entry in /etc/inetd.conf.
This also gets around the ugliness you get in the logging
from using exim with stunnel (all connections are logged as coming from
localhost - stunnel runs exim on the TCP/IP lo loopback interface!)
and unfunctionality you tend to get with sslwrap...
Instructions:
1. Setup the exim-tls package as per normal to get the normal STARTTLS
functionality working on port 25
2. Add the following line to /etc/inetd.conf:
ssmtp stream tcp nowait mail /usr/sbin/exim /usr/sbin/exim -bsstmp
in the #:MAIL section.
NB: WATCH that port name! Putting in 'smtps' instead of 'ssmtp' will mean that
exim will not run as a daemon under the Debian exim startup scripts!
3. HUP inetd with 'killall -HUP inetd' to make the new configuration take
effect.
4. Test the setup with the telnet from the telnet-ssl package with the
following command:
telnet -z ssl localhost ssmtp
All going well you should get an SMTP prompt.
5. Failing that, try:
telnet localhost ssmtp
to pick up any un SSLed error messages about the SSL configuration.
6. Other than that try:
openssl s_client -connect localhost:ssmtp -state [-debug]
to get an idea of what may be going on. The -debug switch will do a
binary and ASCII dump of the SSL converstaion. SSL can be pretty hairy if
not set up correctly...
Have a good time enjoying evolution and exim-tls!
Matthew Grant <grantma@???> Mon, 1 Apr 2002 11:23:24 +1200
Enjoy!
Best Regards,
Matthew Grant
--
===============================================================================
Matthew Grant /\ ^/\^ grantma@??? /~~~~\
A Linux Network Guy /~~\^/~~\_/~~~~~\_______/~~~~~~~~~~\____/******\
===============================================================================
--
[ Content of type text/x-patch deleted ]
--
[ Content of type text/x-patch deleted ]
--
Content-Description: This is a digitally signed message part
[ signature.asc of type application/pgp-signature deleted ]
--
